CentOS 5.1 Miscellaneous Configuration Items

A cheatsheet to myself for basic things I configure in my server
Robin Whittle rw@firstpr.com.au 2008-04-27
 (Minor update 2008-10-24. Important update for the nameserver config, 2009-05-14.)



Before detailing how I installed and configured the email software, I did some other things to bring the fresh install up to speed in my system.  This page is my cheatsheet for the next time I do this stuff.

I did all this work while the new machine was nair.firstpr.com.au on, while the currently operating server gair.firstpr.com.au is on, and with a public IP address via its ADSL link, is operating with the old RH 7.2 system.

Also, here are some notes which might be useful for newbies:

The machine boots into X Windows and I log in as "robin".  I can run a terminal from there and log in as root via "su -".  From there I can run Midnight Commander (mc) or anything else.  

I can also switch back to a text-mode (curses) plain VGA console, not using X Windows.  (How to set these up for more lines and characters than 24 x 80?? To-do: follow this up via http://lists.debian.org/debian-user/2006/09/msg00484.html )

From X, Cntrl Alt F1 to Cntrl Alt F6 brings up one of the plain text consoles.  From those, the same combinations switch to the others, and Cntrl Alt F7 switches back to X.

Updating the system: installing security updates etc.

The update process is remarkably easy:

yum update

NFS links to other machines

Before setting up NFS, add lines to /etc/hosts so this machine knows the addresses of others on the LAN, such as: gair.firstpr.com.au gair egan.firstpr.com.au egan

I want this machine (now nair but later gair) to be able to read the two NFS exports from my other Linux machine egan.  egan has two NFS exports: / and /audio.  /audio is a separate partition, so it needs a separate export.  (I don't attempt to export egan's /var/log, which is a separate partition too.)  

I add a /nfs directory where I will add further directories for mounting these two exports from egan:


When this is working, the directory /nfs/egan has a directory /nfs/egan/audio but it is empty.  /nfs/egan-audio is the directory for accessing egan's /audio directory.

Then I add these lines to /etc/fstab:

egan.firstpr.com.au:/       /nfs/egan           nfs     exec,dev,suid,rw 0 0
egan.firstpr.com.au:/audio/ /nfs/egan-audio     nfs     exec,dev,suid,rw 0 0

and give the commands:

mount /nfs/egan
mount /nfs/egan-audio
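An added check, not part of the original page: the fstab lines above mount egan's exports with exec,dev,suid (which is also what "defaults" gives), so a compromised egan could supply setuid binaries or device nodes to this machine.  This small shell audit reports any NFS mount in an fstab that lacks nosuid and nodev; it runs here over a constructed sample modelled on the page's lines, and handles comments and non-NFS entries so it can be pointed at a real /etc/fstab.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the NFS entries of
# an fstab for the hardening options a remote export should normally carry
# (nosuid, nodev).  A "defaults"/"rw" entry implicitly allows suid and dev,
# so the check looks for the absence of the "no" options rather than for
# "suid"/"dev" being spelled out.

# Constructed sample modelled on the page's two /etc/fstab lines, plus a
# local root filesystem (ignored) and one already-hardened export.
SAMPLE_FSTAB='# constructed fstab, not a real one
egan.firstpr.com.au:/       /nfs/egan           nfs     exec,dev,suid,rw 0 0
egan.firstpr.com.au:/audio/ /nfs/egan-audio     nfs     exec,dev,suid,rw 0 0
/dev/sda1                   /                   ext3    defaults         1 1
egan.firstpr.com.au:/safe   /nfs/egan-safe      nfs     rw,nosuid,nodev  0 0'

# has_opt OPTIONS NAME: succeeds when NAME appears in the comma list OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: reads fstab text on stdin and prints one line per NFS mount
# that lacks nosuid or nodev, as "MOUNTPOINT missing: nosuid nodev".
# Returns the number of findings (0 means every NFS mount is hardened).
audit_fstab() {
    findings=0
    while read -r src mnt fstype opts rest; do
        # Skip blank lines, comments and non-NFS filesystems.
        case "$src" in ''|'#'*) continue ;; esac
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        missing=""
        for want in nosuid nodev; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run over the constructed sample; for the real file use:
#   audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "NFS mounts needing attention: $?"
```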

Now I export this machine's / and /audio directories similarly, by adding these lines to /etc/exports (which is initially empty):


There's no doubt a way of exporting them immediately, but this will take effect on the next boot.

I will copy stuff (mailboxes, large quantities of other data etc.) from the current gair to this machine nair, so I do the above for gair as well.


I want my local Windows machines to be able to look into, read and write some parts of this machine's file system once it becomes gair.  When it becomes gair, I will configure /etc/samba/smb.conf .

Configuring Midnight Commander

Options > Configuration >
Turn on: show backup files and hidden files.
Pause after run: Always.
Maybe turn on "safe delete"

Midnight Commander's line-drawing characters look bad with PuTTY's default settings.  (PuTTY is a nice Windows program for SSH, telnet etc. http://www.chiark.greenend.org.uk/~sgtatham/putty/ - with a Unix version available as source code ...).  The solution is to change PuTTY's configuration: Window > Translation > Received data assumed to be in which character set: from "ISO-8859-1:1998 (Latin-1, West Europe)" to "UTF-8".  I prefer to use PuTTY from Windows because I like the copy (Shift and drag cursor) and paste (Shift and right click trackball/mouse).  Also, the full set of function keys works directly, including F10 for exit, which is typically not the case when running it from an Xterm.  F9 pulls down one of mc's menus and then the cursor keys can be used to change the menu or select an item.

I use a different colour scheme (midnight-commander-colors.png) from the usual blue and white.  There is a section in "man mc" on this.  This can be done with environment variables, but I use a new section in /root/.mc/ini, which needs to be all on one line with no spaces.  That text is here: midnight-commander-colors.txt .  Reformatted into multiple lines, it is: 


I make one of these colours different on every machine - gair, egan and my server in the USA.  This gives me a visual cue which machine I am working on when I have multiple PuTTY sessions with these various machines.  The one I change is "selected".  This form:


gives the green background and black text of the top section (Left, File, Command, Options, Right) and the highlight (like a cursor) bar, which in the image is selecting the file 0-ps-listing.  I have a different background colour for each machine.

To do this with Midnight Commander's editor, first copy the file midnight-commander-colors.txt to the /root/.mc/ directory.  Then use mc to select and edit the ini file.  F9 and the left arrow bring down the File menu, and from there it is possible to insert a file.  F10 enables the resulting file to be saved, but it is better to use File Save As to save it to ini-color.  File Insert File and File Copy to File are the closest thing it has to a clipboard between editing different files, since the default filename for both is the same: /root/mc/cedit/cooledit.clip .

"man mc" has all sorts of interesting stuff.  I should read it some day.  (To-do - how to write the output of man, such as "man mc" to a file?  I used to know, at least for info, rather than man.)

Various shell scripts

There are a few shell scripts I keep in /root:

Firstly, two which produce text files with two differing types of output from ps: 0-ps-listing.sh and 1-ps-listing.sh.  Each produces two files with their own names, and this enables me to compare one state of affairs with another.  


ps laxww > 0ps-lax.txt
ps faxww > 0ps-fax.txt
Output files from the freshly installed machine are: 0ps-lax.txt and 0ps-fax.txt .

I have another script to write the output of df to a file where I can view it conveniently.  df lists the capacity and usage of the mounted file systems.


I change the port on which the SSH daemon accepts incoming sessions.  This reduces the number of automated attack attempts that arrive at the default port.  I change the line in /etc/ssh/sshd_config:

#Port 22

to be something like:

Port 99

but not with 99.

Get rid of vi and install joe

Life is too short for me to memorise how vi works.  I am enough of a geek as it is.

vi gives no on-screen cues as to what is happening, or how to get out of the thing.

Note to self: to exit from vi, try one of these:

: q! (Enter)
Cntrl-C : : q! (Enter)

I install the joe package (Joe's Own Editor) with "yum install joe".  This gets it from (where) over the Net and installs it.  (I first verified it was available by using "yum list > yum-list.txt", which tells me which packages are installed and which are available.)

Since some programs automatically fire up vi to edit some file and I never want to use vi, I change /bin/vi into a symlink pointing to the joe executable.

Now for the tricky stuff:

Rename /bin/vi to /bin/vi-orig

Make /bin/vi a symlink to the joe executable /usr/bin/joe .

Then, to keep joe happy when it is called by a file of name "vi", create a symlink called "virc" in /etc/joe (was /usr/lib/joe/ ) and point it to joerc in that directory.

joe used to have on-screen help turned on by default.  Now it doesn't, so it is as confusing as vi unless I remember Wordstar's "Control K H"!  Fix this by editing /etc/joe/joerc so that there is a line without a space at the start, just: "-help".

Updates, RPMs and yum

I need to read: http://www.centos.org/docs/5/html/yum/

Updates are done automatically at 4AM every day?


To list currently installed and available packages:

yum list > yum-list.txt

To list the location of files in a particular package which is already installed??

This lists the files within an RPM file:
rpm -q -p <filename> -l 

ADSL via PPPoE via eth1

This is what I did to the machine called "nair" which will be the new "gair".  While I am getting it ready, another machine is being gair, and is connected to the Net via a single fixed IP address ADSL connection.  When I switch nair over to be the new gair, I want to be sure the ADSL link will work.  So I need to test it while the machine is still nair, with its address on the LAN, without disturbing gair, which is

The plan is to set up eth0 and PPP networking so it looks like it will work.  Then I will turn off Postfix on nair.  This is so it doesn't accept any messages while it is connected to the Net.  Then I will try plugging the modem into nair and test that it works.  Then I will plug the modem back into the old gair, while I do the rest of the work on nair.  Finally, I will disconnect the ADSL modem (though turning off Postfix in the old gair would suffice), copy over all the emails to nair (which is the last of the data to be copied), turn off the old gair ("Stop . . . Dave . . . . . ) and reconfigure a few things in nair (hostname, LAN IP address) so it is the new gair.  Then when I plug the modem into nair, it should be the new gair and emails can come in, be filtered etc. and delivered to local user accounts.

Setting up the modem

I am using an Internode fixed IP address DSL service, via a Telstra DSLAM.  

Initially (this was in 2006) I set up the new modem using a Win2k machine.  Here are my notes on setting up the D-Link DSL-502T "router" (I call it a modem here, though it is both a modem and a router).  This first section was just to test the ADSL service, which I had not used before:

From the Win2k machine I used an Ethernet card (the motherboard's Ethernet card was on the LAN) and a normal cable to the modem.  That NIC is set up in Windows to be a DHCP client, obtaining its IP address from a DHCP server in the network it is connected to.  I left the LAN cable plugged in, but modified the properties of that connection so that there was no default route to the old gair on the LAN (which was connected to the Net via a 56k modem).  This means that when I get this modem going, the Win2K machine will be able to access the Net via the ADSL service.

The modem has such a DHCP server, at least in its out of the box default configuration.  Then I use a web browser to access, where I find some pages on the modem. 

This Internode service uses "PPPoE LLC".

In the WAN settings page, entered these details, by a method described below:
Plug in Ethernet cable and phone line cable.

Fire up with user "admin" and password "admin".

In the Home: WAN section, enter the details in red above.

Do not use the Connect button.  Use the Apply button.  Then a page comes up where I Save and Reboot the router.

Wait for the browser page to be refreshed.  This can take nearly a minute.

Home: WAN.  It will not be connected yet, but the details are saved in FLASH.  Click the Connect button.  Hmmm - it didn't connect, but at least it didn't clobber the details I just put in.

At this point, the Status LED is flashing.  The ADSL LED is On (though it may fluctuate) and so is the Ethernet LED.

Reboot the Windows machine and turn the router off and on.

Now it simply works.  As long as no other network interface has a default route, it seems that the Windows machine uses DHCP to get an IP address, network address, subnet mask, name servers etc. The address the Win2K machine was given was

I can still use the browser to talk to the router: with user "admin" and password "admin".

In the DHCP section, I see  There are options there for a "static" DHCP server and for no DHCP server.

On the DNS page there are the two name servers of Internode: and  So the modem must have got these details via PPP from Internode.

This is the usual approach - having the PPP client in the ADSL modem:
This can support multiple computers by use of an Ethernet switch.  Each gets a local, private, IP address via DHCP and accesses the Net via NAT in the ADSL modem.

This is NOT the way I want to run the modem for the Linux machine.  The Linux machine needs to be the router, doing NAT etc. for the LAN, and having the single fixed IP address of this ADSL service as its public address.
Now, to configure the modem ready for use with the Linux machine.  These notes were written in May 2008 based on my May 2006 initial configuration notes, which were based on some Internode pages which no longer exist in 2008.  There is no information on the Internode site for my specific model of modem - DSL-502T.

My service is a SOHO-High-Power10 .

The general configuration information at Internode:



ADSL Username: username@internode.on.net
Encapsulation: PPPoA / VC MUX - Standard ADSL
Authentication Method: CHAP or PAP
Supported Modulation Types: G.DMT (Standard ADSL)
G.DMT.bis (ADSL2)
G.DMT.bis+ [plus] (ADSL2+)
Annex M (SOHO/Business Plans Only)
Multimode (Recommended)
VPI/VCI: 8/35

Although I don't think this service is ADSL2+, PPPoE has always worked.  There is a detailed tutorial on PPP over Ethernet by David F. Skoll at: http://www.roaringpenguin.com/files/pppoe-slides.pdf .  The DSL-502T was introduced in early 2005 (I think) - the same time as the DSL-504.  Internode has a guide for configuring the DSL-504 here  .  It uses to access the modem/router, whereas mine uses this Internode guide is for PPPoA, not PPPoE.  For some reason I can't remember, I believe I need PPPoE.

What I finally did was:

At (still accessing the modem via the Windows machine) this looks pretty straightforward.  Select the WAN button on the left menu and click the radio button for "Bridge Mode".  If the page reloads to some Wizard thing, do it again until a page appears with these options:
Connection type:
  • 1483 Bridged IP LLC  <<<<<<<< Select this
  • 1483 Bridged IP VC-Mux
The LLC accords with the "PPPoE(LLC)" encapsulation, as mentioned in Internode's configuration details, and with the fact that we are using a PPPoE client in gair.  If we were using PPPoA (over ATM) then we would select the other one, because Internode also support (and prefer) "PPPoA (VC)".
ATM VC Setting
PVC: Pvc0 <<< not one of the others, I guess.  (Manual says don't change it.)

VPI: 8 <<< Default, and as specified by Internode.
VCI: 35 <<< Default, and as specified by Internode.

Virtual Circuit: Enabled  <<< Default, so why change it?
By using "Apply" I can write this to FLASH, and then it won't do ADSL with the Windows machine.  Indeed - but the Windows machine, with its DHCP client, still connects and the web-server in the modem still works.
There is a lot of stuff under Advanced, including "Bridge Filters".

The Tools section has a way to load the configuration to a hard drive and restore it. Firmware version V2.00B02.AU .

Configuring PPPoE on Linux

Whirlpool's link farm: http://whirlpool.net.au/faq-ab.cfm#3.4.3 directed me to Rebecca's guide: http://www.becsta.net/adsl.html which in my interpretation boils down to:

Configure the network card - it needs to be "up" with no IP address or anything else. Do not set the interface to "dhcp", use pump or dhcpcd or anything like that on the interface. A simple "ifconfig eth1 up" should suffice.

Install rp-pppoe. (rp means Roaring Penguin: .

Run adsl-setup.

Run adsl-start.

"As for routing, let the PPP daemon work it all out. When the PPP daemon has negotiated a PPP session, it should set the default route to the be other end of the ADSL connection."

With Red Hat 7.2 in 2006 I had to install the rp-pppoe RPM.  However, I find from "yum --list" that rp-pppoe.i386 3.5-32.1 is already installed.

This motherboard has two PCI 100Mbps Ethernet cards, both old but good Intel NICs.  They are discovered and assigned numbers eth0, eth1 etc. in order of the PCI socket they are in, and for this motherboard, eth0 is nearest the keyboard connector.  eth1 was not configured when I installed CentOS 5.1, and all there is in terms of configuration at present is the file /etc/sysconfig/network-scripts/ifcfg-eth1: (See below for ifcfg-eth0.)

# Intel Corporation 82557/8/9 Ethernet Pro 100

With RH7.2, I started with something much more minimal, so I edited this file to be like the following.    

# Intel Corporation 82557/8/9 Ethernet Pro 100

In my setup it was essential to get rid of the BOOTPROTO line.  (Maybe "BOOTPROTO=none" would be fine too.)  With it set to "dhcp", the machine would successfully use DHCP to get an address from the ADSL modem's DHCP server, which also caused it to get a nameserver address - an address such as which is the ADSL modem - and write this to /etc/resolv.conf.

(Saving this from Midnight Commander's editor led to a message about hard links - I did not detach them.  I later noticed that these two files ifcfg-eth0 and ifcfg-eth1 also appear at /etc/sysconfig/networking/devices/ and /etc/sysconfig/networking/profiles/default/ .)

Now I run adsl-setup, with the following highlights:

login name: my Internode account name, which looks like an email address:  xxx@internode.on.net

interface eth1

I want this link to stay up permanently, so I enter "no".

Address of ISP's DNS servers: and

I enter my password - this is the CHAP password Internode gave me.

User control: no.

I choose '2' for the Masquerade type of firewall: NAT, so local LAN machines can access the Net via NAT translation in this gateway machine, which will have as its IP address on the LAN:  Other machines on the LAN will have this address as their Default Gateway.

Start the connection at boot time? yes.

This creates a file: /etc/sysconfig/network-scripts/ifcfg-ppp0 and a new directory /etc/ppp, containing a bunch of stuff, including /etc/ppp/chap-secrets. More on these new files in a moment.  The program also instructed me:

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.

The files in /etc/ppp/ are (* means executable in Midnight Commander's display):

/peers                                      (empty)
 chap-secrets              119 May  5 15:09
 chap-secrets.bak           78 May  5 15:09
 firewall-masq            1042 Jan  7  2007
 firewall-standalone       913 Jan  7  2007
*ip-down                   386 Jul 11  2006
*ip-down.ipv6to4          3485 Sep 12  2006
*ip-up                     430 Mar 20  2006
*ip-up.ipv6to4            6687 Sep 12  2006
*ipv6-down                1916 Sep 12  2006
*ipv6-up                  3369 Sep 12  2006
 options                     5 Mar 15  2007
 pap-secrets               118 May  5 15:09
 pap-secrets.bak      ?     77 May  5 15:09
 pppoe-server-options      104 Jan  7  2007

Those of interest are:




# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"xxx@internode.on.net"      *       "yyyyyyyyy"


# firewall-masq         This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.

# Interface to Internet


iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F -t nat

# Deny TCP and UDP packets to privileged ports
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP

# Deny TCP connection attempts
iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr



There is also /etc/resolv.conf


To test it, I disable Postfix  "postfix stop" and turn off the default gateway setting which currently points to (the old gair, which right now has the modem).  In /etc/sysconfig/network I remove the last line:


and restart networking:

/etc/rc.d/init.d/network restart

but before I do that, I connect eth1 to the modem.  I was surprised to see this didn't upset the SSH session with PuTTY on the Windows machine, via which I gave this command.  The output was:

Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
                                                           [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
Bringing up interface ppp0:                                [  OK  ]

Looking in /var/log/messages I was encouraged by a bunch of stuff, ending with:

May  5 15:38:03 nair pppoe[1079]: PPP session is 7394
May  5 15:38:04 nair pppd[1078]: CHAP authentication succeeded
May  5 15:38:04 nair pppd[1078]: CHAP authentication succeeded
May  5 15:38:05 nair pppd[1078]: local  IP address
May  5 15:38:05 nair pppd[1078]: remote IP address

I was able to ping my server in the USA, by its IP address - but not by referring to it as ww.firstpr.com.au.

There must be some nameserver trouble, but at least I am on the Net with this connection.

Final transfer of data . . .

Now that nair (the machine which is about to be gair) is on the Net, but still has on the LAN (with the old gair with, and no ADSL modem connection to the Net) I decide to transfer all emails from the home accounts in the old gair to the new machine, and to transfer the mail filtering commands in each user's .mailfilter file.  This means some editing, since the exact way I call Spamassassin and do the filtering of spam etc. has changed a little.  However, most of the filtering is to do with mailing lists, and since the new machine has identical mailboxes to the old, all those filtering commands are copied directly into the new .mailfilter file.  While this is happening, Postfix is disabled, so incoming messages are either being held at the sending MTA or being sent to the backup server for this domain, at my USA-based server.  

When I turn this machine into the new gair (changing its hostname and IP address) and when I get its nameserver configured correctly, and turn on Postfix, then the messages will come in to the new machine.  The old one will be off the LAN by then, because the new machine will have and so be the default gateway for other machines on the LAN.

The emails I transferred en masse with a copy of the Maildir directory with Midnight Commander, using the link to the old gair via /nfs/gair.  (Tar-Gzipping them would have been another option - and then transferring the single file.)  To do this, I needed to add an export of the /home directory to the old gair, since it was a different partition.  This involved a new line in gair's /etc/exports:

Then in gair:

/etc/rc.d/init.d/nfs restart

Then I needed to add a directory in nair: /nfs/gair-home and give it an entry in nair's fstab:

gair.firstpr.com.au:/home/  /nfs/gair-home      nfs     exec,dev,suid,rw 0 0

Then I mounted it in nair's file system:

mount /nfs/gair-home

Then I ran a command in the home directory of each user to recursively change the user and group of all the files and sub-directories in Maildir.

chown -R xxx:xxx Maildir

Then I fixed up the .mailfilter files, as noted above.  I already know the IMAP server works, so I need to configure Postfix to perform its role in gair.

Changing the machine over to be the real server

I made the old gair (10.0.01) appear on the network in another address with another name - oldgair.  

To give it its new name and make it use as its default gateway, I changed its file /etc/sysconfig/network from:


I also edited the IP address line in /etc/sysconfig/network-scripts/ifcfg-eth0 and then gave the command /etc/rc.d/init.d/network restart

This did not change this machine's idea of itself as "gair", so I rebooted it. Then it knew its new name.  (Along with loading a new kernel, it seems that changing the hostname is something which really does require a reboot in Linux.  Everything else can be done without a reboot.)

(I probably need to change the hostname specified for localhost in /etc/hosts too.)

To change the nair machine ( to its new role as gair ( I did this:

Changed the host name nair to gair in /etc/sysconfig/network :

(Where was it configured to use as its gateway -to send packets to when they are not addressed to any machine on the LAN??)

Then I changed its IP address in /etc/sysconfig/network-scripts/ifcfg-eth0 from to
 # Intel Corporation 82557/8/9 Ethernet Pro 100

I did not detach hardlinks before saving.

(See below where I change /etc/hosts - I should have done this now.)

Then I rebooted this machine, and it came to life as gair on  (This is without the ADSL modem being plugged in.)

Without the Ethernet cable going to the modem, the "Bringing up interface ppp0" takes a minute or so before it fails and the boot procedure continues.

I changed a few things so it could do nfs to the other Linux machine, and the oldgair machine.

Then I turned off Postfix:  "postfix stop" and plugged in the ADSL modem.

The PPP process doesn't necessarily retry immediately, I think.  I couldn't ping a server outside.  So I tried "/etc/rc.d/init.d/network restart".  This went well, and I could ping outside servers.

The web browser on gair could access outside servers, such as mine in the USA, by IP address - but not by hostname.

Clearly there is something wrong with gair's nameserver configuration.

Also, the NAT system was not working - other machines on the LAN which use as their default gateway could not access the net.

Pinging  localhost revealed that while this machine's logon name (in my root shell) was gair, when it pinged itself, it reported this as "nair.firstpr.com.au".  

This turned out to be due to mentioning "nair" in /etc/hosts.

Here is the new version of that file, with some other machines from the LAN listed as well.

# Do not remove the following line, or various programs
# that require network functionality will fail.               gair.firstpr.com.au gair localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6 gair.firstpr.com.au gair nair.firstpr.com.au nair egan.firstpr.com.au egan

I rebooted the machine.  ping localhost worked fine.  It could ping itself, another machine on the LAN and machines outside, by IP address.  Other machines can ping this one, but none of them can use DNS and none can ping through this machine to the outside world.  So the NAT system and the nameserver need fixing.

I see which services should be running with "chkconfig --list".  Here are a few interesting items:

dnsmasq         0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
postgresql      0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off

I have not used dnsmasq before, and I have not yet configured named.  I will configure /etc/exports and turn on nfs.  Likewise, I will later configure Samba and turn on smb.  iptables is supposedly running, and somehow the PPP process was supposed to load rules into it to make it do NAT (IP masquerading).  I want to turn on Apache too.  So I turn on various things with "chkconfig xxx on" and then by manually starting them with "/etc/rc.d/init.d/xxx start".

First httpd. Apache works fine for machines on the LAN with

I turn on dnsmasq the same way, but it won't start ("failed to create listening socket: Address already in use").  A restart failed at the stopping step, but was then OK for starting.  However, I was only trying to look up hostnames in my own domain.  Now, nslookup www.ibm.com works fine.  This machine's web browser is fine accessing www.ibm.com.

The reason it won't work for my own machines is that gair is an authoritative nameserver for them, and I haven't yet set up or even started named!

dnsmasq is not really what I want (I later turned it off), so I need to set up named . . . but why isn't NAT working?

I also changed the courier IMAPD configuration so it would respond to IMAP requests from the LAN and from localhost.  I decided not to allow IMAP from the outside world. /usr/lib/courier-imap/etc/imapd ADDRESS=, /etc/rc.d/init.d/courier-imap restart.

NAT (IP Masquerading Firewall)

To find out what is going on, I list the rules iptables is using:

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere       state RELATED,ESTABLISHED
ACCEPT     all  --     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In my previous installation (RH7.2) I used my own ipchains NAT script, which I ran as part of the boot up sequence.  Below is how I adapted that to iptables and used it on this CentOS 5.1 system.

First, how would the rp-pppoe system run the firewall script it placed in /etc/ppp/firewall-masq?  

I began by listing the contents of the rp-pppoe RPM:

rpm -ql rp-pppoe


The script which looks for "FIREWALL" is /sbin/adsl-connect:

case "$FIREWALL" in
        . /etc/ppp/firewall-standalone
        . /etc/ppp/firewall-masq

but neither of these scripts is executable at present.  Do they need to be?

I will replace /etc/ppp/firewall-masq with my own modified version and see if it works.
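Added example, not rp-pppoe's firewall-masq and not the author's modified version which follows: the same ppp0/eth0 NAT gateway written as an allow-list.  Instead of accepting everything from the Internet except a list of ports, it drops everything arriving on the external interface except replies to connections the gateway or the LAN started and the handful of services the gateway publishes.  The interface names follow the page; the LAN prefix, the SSH port and the published service list are assumptions (placeholders).

```shell
#!/bin/sh
# Added example: allow-list masquerading firewall for a PPPoE gateway.
# Not rp-pppoe's firewall-masq and not the page author's script.

IPT=${IPT:-iptables}        # set IPT="echo iptables" to print instead of load
SYSCTL=${SYSCTL:-sysctl}

EXTIF=${EXTIF:-ppp0}               # PPPoE link to the modem (as on the page)
LANIF=${LANIF:-eth0}               # LAN side (as on the page)
LANNET=${LANNET:-192.0.2.0/24}     # placeholder LAN prefix, not the page's
SSHPORT=${SSHPORT:-2222}           # assumed non-default sshd Port

# Services reachable from the Internet, as proto/port words (assumed set).
PUBLIC_SERVICES=${PUBLIC_SERVICES:-"tcp/$SSHPORT tcp/25 tcp/80"}

masq_rules() {
    # Default-deny for traffic to and through the gateway; replies are
    # allowed below by connection state rather than by port number.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -F -t nat

    # The gateway trusts itself and its own LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LANIF" -s "$LANNET" -j ACCEPT

    # Return traffic for connections the gateway itself started.
    $IPT -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: private and loopback sources never legitimately
    # arrive over the PPP link.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$EXTIF" -s "$net" -j DROP
    done

    # Only the published services; anything else on ppp0 hits the DROP
    # policy, so NFS, Samba, MySQL etc. need no individual rules.
    for svc in $PUBLIC_SERVICES; do
        proto=${svc%/*}
        port=${svc#*/}
        $IPT -A INPUT -i "$EXTIF" -p "$proto" --dport "$port" -j ACCEPT
    done

    # Forward LAN traffic out, and only established/related traffic back in.
    $IPT -A FORWARD -i "$LANIF" -o "$EXTIF" -s "$LANNET" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$LANIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT the LAN behind the single fixed address on ppp0.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LANNET" -j MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.ip_dynaddr=1
}

# Print the commands masq_rules would run, one per line, without root.
show_rules() {
    ( IPT="echo iptables" SYSCTL="echo sysctl"; masq_rules )
}

# Load for real only when asked (APPLY_RULES=1, as root); otherwise show.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    masq_rules
else
    show_rules
fi
```

Because /sbin/adsl-connect sources the firewall file with ".", it does not need the executable bit; a deployment that keeps this allow-list in /etc/ppp/firewall-masq would call masq_rules unconditionally at the end instead of the APPLY_RULES switch.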

A new version of /etc/ppp/firewall-masq: I made it owner root, group root, 755, but probably something more restrictive would be better.

# firewall-masq        This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.

# RW -------------
# Modifications by Robin Whittle to make it specific to ppp0 and to
# allow connections from the outside world, except for particular ports,
# whereas the original version blocked all incoming packets for UDP and
# TCP ports 0 to 1023.

# Interface to Internet
# RW EXTIF=ppp+
EXTIF=ppp0

# Shorthand for "any address", used by the rules below.
ANY=0.0.0.0/0


# RW  Set the policies for the three chains.  A packet which matches no
# rule in a chain gets the chain's policy.

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# RW Flush existing rules.

iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F -t nat

# RW We don't do this:

## Deny TCP and UDP packets to privileged ports
#iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
#iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP

# RW Instead, we allow packets arriving from the external interface on
# all TCP and UDP ports apart from those we specify below.
# See man iptables:
# -A xxx     Append a rule to chain xxx.
# -i         Interface the packet arrived on.
# -d         Destination IP address or range, eg -d 192.168.0.0/16
# -s         Likewise source.
# -p         Protocol: tcp, udp or icmp.
# --dport    Destination port or port range, eg --dport 1:1023
#            (valid only after -p tcp or -p udp).
# -j         Jump to a target such as DROP, REJECT, ACCEPT or MASQUERADE.
# First, drop packets arriving from outside which have destinations in a
# private network range.  (The three RFC 1918 ranges are assumed here.)

iptables -A INPUT -i $EXTIF -d 10.0.0.0/8     -j DROP
iptables -A INPUT -i $EXTIF -d 172.16.0.0/12  -j DROP
iptables -A INPUT -i $EXTIF -d 192.168.0.0/16 -j DROP

# Now deny specific ports:

#                                                                FTP
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport   21 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport   21 -j DROP

#                                                                NFS (portmapper)
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport  111 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport  111 -j DROP

#                                                                Samba
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport  139 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport  139 -j DROP

#                                                                More NFS guff
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1011 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1011 -j DROP

iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1024 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1024 -j DROP

iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1025 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1025 -j DROP

#                                                                MySQL (port 3306, not 21)
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 3306 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 3306 -j DROP

# Many others to go here?

# RW We don't do this:
## Deny TCP connection attempts
#iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP

# RW Or this!
## Deny ICMP echo-requests
#iptables -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP

# Forwarding for the LAN.  With the FORWARD policy set to DROP above, nothing
# is forwarded unless a rule allows it, so the gateway would pass no LAN
# traffic at all.  These two rules are not in the original script and are
# added here: let LAN hosts open connections out through $EXTIF and let the
# replies back in, but do not let outside hosts open connections to the LAN.
iptables -A FORWARD -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr


Configuring named

Important update 2009-05-14

It is vital that the caching nameserver functions only be available to machines on the LAN.  When I wrote this page, I didn't think about this.  What I wrote sets named up to be a recursive nameserver which responds to queries from the entire Internet.  This is known as an Open Recursive Nameserver (but for search-engine-bait: "open nameserver").

This means an attacker can use the nameserver as part of a DDoS attack (Distributed Denial of Service).  Let's say the attacker's victim is at  The attacker sends a packet to my nameserver with a spoofed source address of  The request causes my nameserver to send the reply to that address.  

I found this happening, every few seconds, for the one victim address.  The request was for a long TXT answer from a particular domain, operated by the attacker, to make the reply packet nice and long.  The attacker's request packet to my server was short (71 bytes) and my server was sending a reply to the victim IP address consisting of two 1492 byte packets and one of 1165 bytes.  This was happening every few seconds.  So my nameserver was acting as a 58:1 amplifier of the effort of this attacker.   The burden of packets on the destination IP address would have been immense, assuming many other nameservers such as mine were being used in the same way.

More on this at:

Open Recursive Nameservers: What's the problem with that?
Students:  P. van Abswoude, P. Tavenier
Supervising teachers:  J.P. Velders, K. Koymans
System and Network Engineering, University of Amsterdam
Final Version February 5, 2007


A partial answer is to include the following line in named.conf:

allow-recursion {; };

This goes anywhere in the "options { . . . };" section.

It prevents named from properly answering any queries for domains other than the ones it is authoritative for, when the requests originate from outside my LAN.

This was suggested by section 5.2.1 of the above-linked report.  The format for the "address_match_list" for bind 9 is at http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#address_match_lists .

However . . .

. . . the nameserver still responds with a shorter message, including the "hints" file - the list of root nameservers.  So when configured like this, fewer bytes are sent to the victim, but still more than the attacker sent, so there is still amplification of the attacker's efforts.
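As an added example (not code from the original page), the following Python script checks for the two things described above: which BIND query-log lines show hosts outside the LAN using the server for recursion (the traffic that allow-recursion restricts), and the amplification ratio computed from the packet sizes given above.  The LAN prefix, the zone names and the log lines are constructed assumptions.

```python
"""Spot open-recursion abuse in BIND query logs and size the amplification.

Added example, not part of the original page.  Log lines are constructed in
the BIND 9 'queries' logging-category format; addresses are RFC 5737 ranges.
"""
import ipaddress
import re
from collections import Counter

# Assumptions: the LAN prefix, and the zones this server is master for (the
# two zone names are the ones configured further down the page).
LAN_NETWORKS = (ipaddress.ip_network("192.168.0.0/16"),)
AUTHORITATIVE_ZONES = ("firstpr.com.au", "astroneu.com")

# BIND 9 query log: "client <ip>#<port>: query: <name> IN <type> <flags>";
# a leading "+" in <flags> means the client set the recursion-desired bit.
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
                      r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>[+-]\S*)")

# Constructed sample: one LAN client, one outside address repeatedly asking
# for a large TXT record (the pattern described above), and one outside host
# asking about a zone we are authoritative for (legitimate, not recursion).
SAMPLE_LOG = """\
01-May-2009 03:12:01.123 client 192.168.0.7#5353: query: www.example.net IN A +
01-May-2009 03:12:04.501 client 203.0.113.9#9339: query: big.attacker-zone.example IN TXT +
01-May-2009 03:12:07.002 client 203.0.113.9#9339: query: big.attacker-zone.example IN TXT +
01-May-2009 03:12:09.777 client 203.0.113.9#9339: query: big.attacker-zone.example IN TXT +
01-May-2009 03:12:10.100 client 198.51.100.22#53211: query: firstpr.com.au IN MX -
01-May-2009 03:12:11.200 client 198.51.100.22#53211: query: www.firstpr.com.au IN A +E
"""

def parse_query_log(text):
    """One dict per recognised query line; other log lines are skipped."""
    return [m.groupdict() for m in map(QUERY_RE.search, text.splitlines()) if m]

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)

def is_authoritative(name):
    host = name.rstrip(".").lower()
    return any(host == z or host.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def open_recursion_abuse(records):
    """Count recursive queries from outside the LAN for names we do not serve.
    These are the queries 'allow-recursion { <LAN>; };' makes named refuse;
    seeing them in the log means the server is being used as an open resolver."""
    hits = Counter()
    for r in records:
        if (r["flags"].startswith("+") and not is_lan(r["ip"])
                and not is_authoritative(r["name"])):
            hits[(r["ip"], r["name"], r["type"])] += 1
    return hits

def amplification_factor(request_bytes, reply_packet_sizes):
    """Bytes sent to the (spoofed) victim per byte the attacker sent."""
    return sum(reply_packet_sizes) / request_bytes

if __name__ == "__main__":
    for (ip, name, qtype), n in open_recursion_abuse(parse_query_log(SAMPLE_LOG)).items():
        print(f"{n} recursive {qtype} queries for {name} from {ip}")
    # The figures given above: a 71-byte request answered with 1492+1492+1165 bytes.
    print(f"amplification {amplification_factor(71, [1492, 1492, 1165]):.1f}:1")
```

Run against a real query log (enable the "queries" logging category in named.conf first), any hit for an address outside the LAN is a sign the allow-recursion line is missing or too broad.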

The real solution is more complex - and I haven't yet implemented it: "split views", along the lines of:


I am not sure yet whether this would stop the server replying with the hints file.

This machine has the zonefiles for several domains and is one of the two authoritative servers for those domains.  The other is my USA-based server: sf.firstpr.com.au.

named needs to be set up here as a caching nameserver to handle queries from machines on the LAN, to use the zonefiles, and to allow sf.firstpr.com.au to update itself from these files.

There is no /etc/named.conf.  man named includes this:

It is not necessary to run named in a chroot environment if the Red Hat SELinux policy for named is enabled. When enabled, this policy is far more secure than a chroot environment.

I turned off SELinux, so I guess I should use the chroot approach, which involves files in /var/named/chroot/var/named/ .


With this extra security comes some restrictions: By default, the SELinux policy does not allow named to write any master zone database files. Only the root user may create files in the $ROOTDIR/var/named zone database file directory (the options { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.

/etc/sysconfig/named currently has: ROOTDIR=/var/named/chroot .

I need to rewrite my named configuration since it was bind8 in RH7.2 and this is bind9 in CentOS 5.1.

Red Hat have a GUI program system-config-bind to generate the /etc/named.conf file.  This is in a package "system-config-bind" which was not installed.  So I install it: "yum install system-config-bind".  I was hoping to avoid depending on any GUI stuff.  I figure if I knew plenty about bind9 I wouldn't need it, but life is too short . . .


It finds no BIND configuration and so asks to install a default configuration.  OK.

This does not create an /etc/named.conf file.   It creates the following in /var/named/chroot/etc/named.conf:

// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
     // query-source address * port 53;
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "localdomain." IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost." IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa." IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};

zone "255.in-addr.arpa." IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
};

zone "0.in-addr.arpa." IN {
    type master;
    file "named.zero";
    allow-update { none; };
};

include "/etc/rndc.key";

The following files and empty directories are in /var/named/chroot/var/named/ :

/data              4096 Aug 26  2004 
/slave             4096 May  6 17:14
/slaves            4096 Jul 28  2004 

 localdomain.zone   208 Apr 29  2005 
 localhost.zone     195 Apr 29  2005 
 named.broadcast    427 Apr 29  2005 
 named.ip6.local    424 Apr 29  2005 
 named.local        426 Apr 29  2005 
 named.root        1276 May  6 17:14 
 named.zero         427 Apr 29  2005    

I try the GUI program's "New" menu item and try adding a new zone: Internet (click OK) Forward (click OK, then enter a dummy zonefile name for now "blah.com." - note the trailing dot) Master (click OK).  The next window has a bunch of stuff which goes in the zone file.  I leave the defaults, but am not sure what to do with the Zone File Path, which is currently "blah.com.db".  It seems this is the name of the file it is going to write.  When I click OK, a new item appears in the list in the main window of the program: "blah.com".  Nothing has been written to /var/named/chroot/var/named/ yet.  But if I click the Save button, then a file is created there: blah.com.db :

@       SOA     gair.firstpr.com.au.    root.gair.firstpr.com.au. (     2
                                                1H )
        NS      gair.firstpr.com.au.

Also, this has been added to /var/named/chroot/etc/named.conf :

zone "blah.com." IN {
        type master;
        file "blah.com.db";
};

This looks compatible with the way I specified the zone files in my old /etc/named.conf.  The ".db" in the zonefile name is just a convention and is not needed.

Back at the GUI program, I can select this "blah.com" Internet Forward Zone and add things to it by right-clicking it.  I try adding a second nameserver, the text name of my US machine "sf.firstpr.com.au".  The GUI program stupidly appends "blah.com." to the end of it . . .  I edit it to "sf.firstpr.com.au." and it is happy.  After clicking "Save", the blah.com.db file becomes:

@       SOA     gair.firstpr.com.au.    root.gair.firstpr.com.au. (     3
                                                1H )
        NS      gair.firstpr.com.au.
        IN      1H      NS      sf.firstpr.com.au.

Note the 2 became 3 - this is the serial number or whatever by which named recognises that the file is different from what was there before.

This format for the second authoritative nameserver is a little different from what is in my old zonefiles:

        IN NS   gair.firstpr.com.au.
        IN NS     sf.firstpr.com.au.

I am trying to figure out to what extent I can copy the old zone files.  I guess I can . . .

I try adding an A (IPv4 address) record, without using the "Create Reverse Mapping Record" option.  This is for "www.blah.com." with a caching time of 1 hour 7 minutes and an IP address of  Each time I use Save, a backup file is created in the same directory with the same name but with the date and time appended to the name.  These could clutter things up, but they are easily deleted manually.

Now the file is like this:

@       SOA     gair.firstpr.com.au.    root.gair.firstpr.com.au. (     4
                                                1H7M )
        NS      gair.firstpr.com.au.
        IN      1H7M    NS      sf.firstpr.com.au.
www     IN      1H7M    A

Hmmm - that one "1 hour 7 minutes" for this one item affected the caching time of the whole zonefile.

I add an MX record.  The default caching time is now "1 hour 7 minutes".  I enter one with priority 10 "gair.firstpr.com.au.".  Since I used a dot at the end of the name, the GUI program didn't append "blah.com.".  I added another with priority 20 "sf.firstpr.com.au."

I added an A record for "blah.com." = and the resulting file was:

@       SOA     gair.firstpr.com.au.    root.gair.firstpr.com.au. (     6
                                                1H7M )
        NS      gair.firstpr.com.au.
        IN      1H7M    NS      sf.firstpr.com.au.
        IN      1H7M    MX      10      gair.firstpr.com.au.
        IN      1H7M    MX      20      sf.firstpr.com.au.
        IN      1H7M    A
www     IN      1H7M    A

This looks good.  I recall that in bind8 at least, the unnamed IN record for the host name with the same name as the domain must come before the others.  Still, this is not a complete file, if I was doing it for firstpr.com.au instead, since I would need to specify the IP addresses of gair and sf as well.

It is not clear how to use the GUI program to add a subdomain.  In bind8 I did it like this:

                ; Subdomain exp.firstpr.com.au

exp            IN NS          gair.firstpr.com.au.
               IN NS            sf.firstpr.com.au.

Apart from these caching time "1H7M" things, the new file format looks compatible with my old ones.  So I will try copying those zone files to /var/named/chroot/var/named/ and adding the same text as I used before, for each, in /var/named/chroot/etc/named.conf .

First, I want to see how I can use the GUI program to specify an Access Control List so the one IP address which named on the US server uses will be allowed to retrieve updated information for the various zones for which it is a slave.

At the top of the GUI window list is "DNS Server".  By right clicking this (I can start this server with one of these right-click options . . . ) I can add an "Access Control List".  I give the list the name "sf-firstpr" and the IP address  After "Save", the new line in /var/named/chroot/etc/named.conf: is immediately after the first few lines of comments:  (Did it convert "-" to "."?)

acl sf.firstpr {;

I also add "Controls": addresses to listen on: (the IP address of the ADSL service) with port 53, not port "953" as the GUI program presented as the default value.  Clicking OK at the bottom leads to an error message in the xterm I gave the initial command in.  The problem is with DNS.py and is "invalid literal for int(): ort 53".  I try again with 953 and get the same message, but for "rt 953".  So this part of the program is buggy.

So far the results of this system look compatible with my old file format, so I abandon this GUI program and copy the old config stuff.

I deleted the "blah.com.db" file and its backups, but this turned out to be incomplete - since system-config-bind would not start after that.  This was fixed by removing the relevant lines in /var/named/chroot/etc/named.conf .

I copy the old zone files to the new directory, remove the blah.com.db file, add lines such as this to /var/named/chroot/etc/named.conf:

zone "firstpr.com.au" in {
        type master;
        file "firstpr.com.au";
};

My new /var/named/chroot/etc/named.conf file starts with the ACL to allow the US server to access these zonefiles:

// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration

acl sf.firstpr {; };

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        //query-source address * port 53;

        // RW -----------------------
        // I added these two:

        allow-transfer { sf.firstpr; };

        listen-on {;
          ; };

        allow-recursion {; };  //  See Important Update above
};


At the end, I add references to zonefiles like this:

zone "astroneu.com" in {
        type master;
        file "astroneu.com";
};

zone "firstpr.com.au" in {
        type master;
        file "firstpr.com.au";
};

and start named:

/etc/rc.d/init.d/named restart

Stop failed, since it wasn't running.  Once I fixed some typos, Start worked fine too.  Problems with it starting are explained in /var/log/messages.

So named is running fine.

Final configuration of Postfix

(I will tackle Postfix configuration with the SPF later - to help reduce the backscatter messages my system generates.)

The machine is on the Net, with its fixed IP address, nameserver, IMAP server and LAN working, but not yet NAT . . .

Mail filtering should be OK.  I just need to configure Postfix to run as gair, rather than the test machine nair, and start it.

In /etc/postfix/main.cf I add or alter the following items.

This is probably not needed:

myhostname = gair.firstpr.com.au

Maybe this isn't needed either, but I like to make it explicit.

myorigin = firstpr.com.au

This is needed: the other domains for which this machine is the primary or secondary mailserver:

mydestination = firstpr.com.au astroneu.com

The Trust and Relay Control section is really important.  I tell Postfix to trust machines on the LAN.

mynetworks =

There is some information on setting up two Postfix machines to be primary and backup mailhosts: http://www.akadia.com/services/postfix_mx_backup.html .  I don't use the transport_maps portion of this.

I understand it has long been standard practice to have at least one backup mailserver for each domain, however I understand that another school of thought is to have only one mailserver, and rely on sending MTAs to hold their messages for a while if the one mailserver is down.  If this occurs, there is no real purpose in having a backup, since no-one plans to have their mailserver down for longer than the week or so (?) that an MTA will try to send the message for.  Spammers often send messages to the backup mailserver, if there is one.

Since all the domains for which these two servers are primary and secondary are listed in my "mydestination" variable, as just mentioned, all that needs to be in both machines' main.cf files is:

relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

This is based on a file which is no longer in the Postfix distribution: /etc/postfix/samples/sample-smtpd.cf.  Google can't find such a file on the site http://www.postfix.org but there is a copy at: http://www.paccomp.com/postfix/node28.html   So perhaps this is not the way to do backup mailservers with the current version of Postfix.  (check_relay_domains is obsolete in Postfix 2.x; the restriction that does the same job there, refusing to relay for any domain not in $relay_domains or the local destinations, is reject_unauth_destination.)

Now I restart Postfix . . . /etc/rc.d/init.d/postfix restart

/var/log/maillog shows messages coming in from the outside world, as well as a test message I sent myself.  They are not being delivered since I have a syntax error in my .mailfilter file . . .  I fix it  - and all is well.